About the SSL Checker
The SSL Checker opens a TLS connection to any HTTPS host, captures the full certificate chain, and inspects every field — issuer, subject, SANs, validity dates, key type + size, signature algorithm, serial number, SHA-256 / SHA-1 fingerprints, and key usage extensions. It also captures the negotiated protocol version (TLS 1.2 / 1.3) and cipher suite.
The tool deliberately does not validate the peer, so it will still return data for expired, self-signed, or hostname-mismatched certificates — the point is to help you diagnose what's broken. Every issue is highlighted as a warning at the top.
What the check reports
🔒 Overview
Certificate CN, days until expiry (with color-coded urgency — green > 30 days, amber < 30, red < 7 or expired), TLS version, and cipher.
📋 Subject & issuer
Full DN strings for both. Modern browsers ignore the Common Name — the SAN list is what matters.
🌐 SANs (Subject Alternative Names)
The list of hostnames the certificate is valid for. Wildcards (*.example.com) match exactly one label. The tool checks whether the queried host is in the SAN list and warns if not.
🔑 Key & signature
Key type (RSA / EC), key size in bits, and signature algorithm. Warns for RSA under 2048 bits or SHA-1 / MD5 signatures.
📅 Validity
Not-before / not-after dates, days remaining, and expired/not-yet-valid flags.
🔗 Full chain
Every certificate the server sent — leaf, intermediates, and (if included) root. Each is shown with subject + issuer + validity.
TLS versions in 2026
- TLS 1.3 — the current standard. Uses forward-secret key exchange only, dropped all legacy ciphers, faster handshake (1-RTT). If you're running a modern web server, default to this.
- TLS 1.2 — still widely supported and secure when paired with modern ciphers. Fine for legacy client compatibility.
- TLS 1.1 / 1.0 / SSL 3.0 / SSL 2.0 — deprecated. Modern browsers reject them. If a server still supports these, disable them.
Wildcards, SANs, and CN
Every modern browser ignores the certificate's Common Name (CN) and validates only against the Subject Alternative Names (SANs) list. A cert with SAN *.example.com covers www.example.com and api.example.com — but not example.com itself, and not foo.bar.example.com. For the apex domain you need both example.com and *.example.com in the SANs. The tool checks the queried host against the SAN list and warns on mismatch.
Privacy & SSRF guard
Rate-limited to 30 requests per minute per IP. Refuses to connect to private/internal IP ranges. 8-second connection timeout. Nothing is stored.